Web Security

Last week, WordPress released version 5.2.3, a security and maintenance update that, as such, contained many security fixes. Part of our day-to-day work is to analyse these security releases, determine which security issues they fix, and come up with a proof of concept for further internal testing.

Based on our analysis, none of the vulnerabilities fixed in this release are major. They all require some level of privileged-user interaction or access to high-privilege accounts.

In an interview with Smashing Magazine, our Co-Founder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question.

What Makes WordPress Vulnerable?

“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez

The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions.

When our tools don’t automatically detect and clean malicious code, that’s when we start our investigation process—and the majority of these research findings end up on the blog or as a Labs note.

However, other times we update our tools to automatically detect and remediate the malware, then stash the code sample in our zoo along with some research notes… And there it stays, gathering dust, spiderwebs, and other nasty stuff.

Revisiting those old notes and malicious code samples to re-evaluate them is not only a good research exercise, but also interesting to share.

Before we get into the details of “Cryptocurrency Mining Malware”, we need to understand first what cryptocurrency is and what miners are.

What is Cryptocurrency?

Cryptocurrency is best thought of as digital currency that exists only on computers. It is transferred directly between peers (there is no middleman such as a bank). Transactions are then recorded on a digital public ledger called the “blockchain”.

Transaction data and the ledger are encrypted using cryptography (which is why it is called “crypto” “currency”).

These days, we consider a malware campaign massive if it affects a couple thousand websites. However, back in the day when Sucuri first started its operations, the scale of infections was significantly larger — and it was quite typical to see hundreds of thousands of websites affected by the same malware.

This was mostly because early versions of these CMSs were not very secure, yet were already popular enough to power millions of websites. Extension developers also didn’t bother much about security.

If you have an ecommerce website, you are certainly concerned about its security. Business revenue depends on your online presence and having a website compromise is far from desirable.

In order to run a successful ecommerce business, you need to follow the requirements outlined by the Payment Card Industry Data Security Standard (PCI DSS). The major credit card companies stand behind the PCI requirements, whose goal is to ensure that cardholder information is transmitted, stored, and handled securely.

Cookies! I LOVE Cookies. Oatmeal raisin are one of my particular favorite flavors.

However, we’re not here to talk about baked goods as much as I’d love to. We’re here to talk about itty bitty little files stored on your local machine, also called cookies. We’ve often come across several users inquiring about what they are and so we’re here to help provide some clarity. Let’s dig in!

A DDoS (Distributed Denial of Service) is an attack that focuses on making the website unavailable to its legitimate users. DDoS attacks can produce service interruptions, introduce large response delays, and cause various business losses.

Denial-of-service attacks work in one of two ways: they either flood services or crash them. Attackers execute DDoS attacks through computers and smart devices, so it is common for them to make use of IoT devices that are internet-accessible. The term IoT devices refers to any electronic device that can connect to the internet and transmit data, such as toys, smart TVs, and monitors of any kind.

At Sucuri, we understand that most web professionals and web agencies ultimately need to make their clients part of the decision-making process for choosing to secure their sites.

Overall, website security sounds like a good thing, but how do you position the value of Sucuri’s website security to clients who don’t know (or even care to know) the specifics behind what website security would offer them?